REvil Makes Monkeys out of Kaseya Customers

Over the long weekend, a huge ransomware attack emerged. Kaseya’s VSA, the IT management software, seems to have been the common component the criminals used to do their dirty deeds.

Many commentators are calling it a supply chain attack. But is that really true? And what’s up with the $70 million bulk-buy discount ransom being further discounted to $50 million?

Things look bad for the ransomware gang. In today’s SB Blogwatch, we have little sympathy.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: This song plants trees.

Wise: No REvil

What’s the craic? Raphael Satter and Praveen Menon report—“Hackers behind ransomware outbreak lower demand to $50 mln”:

Bitten off more than they could chew
The hackers who have claimed responsibility for an international ransomware outbreak have lowered their asking price. … The REvil ransomware gang, also known as Sodinokibi, is publicly demanding $70 million to restore the data it’s holding ransom after their data-scrambling software affected hundreds of small and medium businesses.

But in a conversation with Jack Cable of the cybersecurity-focused Krebs Stamos Group, one of the gang’s affiliates said he could sell a “universal decryptor” … for $50 million. … “It makes you wonder if they’re having a hard time getting people to pay,” he said.

Another expert … Allan Liska … said that the hackers, by encrypting so much data from so many businesses at once, may have bitten off more than they could chew: “For all of their big talk on their blog, I think this got way out of hand.”

How did it work? Mark Loman, Sean Gallagher and Anand Ajjan call it a “supply chain exploit”:

Systems management platforms exploited
The Kaseya Agent Monitor … AGENTMON.EXE … in turn wrote out the Base64-encoded malicious payload AGENT.CRT to the VSA agent “working” directory for updates (by default, C:\KWORKING\). AGENT.CRT is encoded to prevent malware defenses from performing static file analysis with pattern scanning and machine learning when it is dropped.

There are some factors that stand out in this attack when compared to others. First, because of its mass deployment, this REvil attack makes no apparent effort to exfiltrate data. Attacks were customized to some degree based on the size of the organization, meaning that REvil actors had access to VSA server instances and were able to identify individual customers of MSPs as being different from larger organizations. And there was no sign of deletion of volume shadow copies—a behavior common among ransomware that triggers many malware defenses.

While zero-day supply-chain exploits are rare, we’ve already seen two major systems management platforms exploited in the past year. While Sunburst was apparently a state-funded attack, ransomware operators clearly have the resources to continue to acquire additional exploits.
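The quoted analysis explains why the dropper was written out as Base64 text: a pattern scanner looking at the file on disk never sees a PE. The added example below (mine, not Sophos’s or Kaseya’s code) does what such a scanner should do instead: decode any Base64-looking file in the agent working directory and check the decoded bytes for the MZ/PE signature. The directory default, the file-suffix list, the sample payload and the sample certificate are all assumptions constructed for the demonstration.

```python
"""Detect a Base64-encoded Windows executable dropped as a '.crt' file.

Added example, not part of the quoted analysis. The working-directory
default (C:\\KWORKING\\) and the AGENT.CRT name come from the quoted text;
everything else here is constructed for illustration.
"""
import base64
import binascii
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Default VSA agent working directory named in the quoted analysis.
DEFAULT_KWORKING = Path(r"C:\KWORKING")

# Pure Base64 text after whitespace is removed: alphabet plus optional padding.
_B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def is_pe_image(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' stub and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def base64_pe_payload(data: bytes) -> Optional[bytes]:
    """Return the decoded PE image if data is Base64 text wrapping a PE, else None.

    A genuine PEM certificate starts with '-----BEGIN CERTIFICATE-----', which
    is not Base64 text, so it is rejected before decoding; a DER certificate
    starts with byte 0x30 and is rejected for the same reason.
    """
    compact = b"".join(data.split())          # tolerate line-wrapped encodings
    if not compact or not _B64_RE.fullmatch(compact):
        return None
    try:
        blob = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    return blob if is_pe_image(blob) else None


def scan_directory(workdir: Path = DEFAULT_KWORKING,
                   suffixes=(".crt", ".cer", ".txt")) -> List[Path]:
    """Return files under workdir whose content decodes to a PE image.

    The suffix list is an assumption: the point is to look at content, not
    extension, so widen it as needed for your environment.
    """
    hits: List[Path] = []
    if not workdir.is_dir():
        return hits
    for path in sorted(workdir.iterdir()):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        if base64_pe_payload(data) is not None:
            hits.append(path)
    return hits


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: 'MZ' stub, e_lfanew -> 0x40, 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed samples: the dropped payload as line-wrapped Base64, and a
# benign (fake) PEM certificate that shares the .crt extension.
SAMPLE_AGENT_CRT = base64.encodebytes(build_fake_pe())
SAMPLE_REAL_CERT = (b"-----BEGIN CERTIFICATE-----\n"
                    b"MIIBszCCAV2gAwIBAgIUAA==\n"
                    b"-----END CERTIFICATE-----\n")


def demo() -> List[str]:
    """Write both samples into a temporary 'KWORKING' and return the hit names."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        (workdir / "agent.crt").write_bytes(SAMPLE_AGENT_CRT)
        (workdir / "ca-bundle.crt").write_bytes(SAMPLE_REAL_CERT)
        return [p.name for p in scan_directory(workdir)]


if __name__ == "__main__":
    print("Base64-wrapped PE files:", demo())   # expected: ['agent.crt']
```

Run it as-is to see the constructed sample flagged, or point `scan_directory` at the real working directory on a Windows host. The check catches only this specific evasion (Base64 wrapping of a PE); the quoted analysis also notes the attack skipped the usual shadow-copy deletion that trips many defenses, so a detection built on that behaviour would have stayed silent here.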

But should we really be calling this a “supply chain” attack? Simon Sharwood says not—“Kaseya says it’s seen no sign of supply chain attack”:

No evidence
It’s been unable to find signs its code was maliciously modified. [It’s] offered its users a ray of hope with news that it is testing a patch for its on-prem software and is considering restoring its SaaS services on Tuesday.

Kaseya has advised its users to pull the plug on their on-prem VSA servers, so news that a fix is imminent will be welcome — but news that it will arrive later than the SaaS fix will not. And of course, patches for enterprise software are not simple affairs — there’s every chance users will have plenty of work to do once the fix is applied.

The company has also posted an initial analysis of the attack that states it has found “no evidence that Kaseya’s VSA codebase has been maliciously modified. The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware.”

O RLY? DIVD’s Victor Gevers opens the kimono—“Case Update”:

Structural weaknesses
Yes, Wietse Boonstra … has previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks. And yes, we have reported these vulnerabilities to Kaseya under responsible disclosure guidelines (aka coordinated vulnerability disclosure).

We spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses. After this crisis, there will be the question of who is to blame.

But what you call it isn’t the point. Here’s Terry 6 with three points:

There is no excuse
1) There were zero day vulnerabilities (OK stuff happens and big software jobs will have nasties lurking down below) … and

2) The bad guys were able to find these and use them, but

3) Kaseya either weren’t able to find their own bugs, didn’t look for them, or didn’t fix them.

This is software that gives intimate access to users and users’ customers. There is no excuse. … It’s not just a software product, it’s an invasive software product.

Let’s return to this question of the ransom discount. Jack Cable—@jackhcable—relates the story:

They're having trouble
REvil is now asking for $50 million. … Quickly lowering prices makes me wonder if they’re getting desperate.

They also now allow victims to pay in Bitcoin in addition to Monero, which may be another sign that they’re having trouble getting people to pay. Has the side effect of making it easier to track.

“Only” $50M? puddingebola sounds slightly sarcastic:

Bargain
Very kind. Very nice of them to knock 28% off the price.

I’m sure their clients will appreciate it. They should snatch that bargain up right away.

How does the $50M or $70M compare with the per-victim price? zimpenfish does the math:

Buy it now
Technically they’re asking for a $45B ransom if it’s $45K per system and their claim of 1M infected systems is correct. $70M is just the “buy it now” price.

$45K here, $45K there—pretty soon you’re talking serious money. Like LenKagetsu does:

If you can spend millions on ransom you can spend millions on IT security.

Meanwhile, this Anonymous South African Coward is feeling treasonous:

/me goes off to Reddit to look for rants from sysadmins whose 4th was ruined.

And Finally:

This song plants trees

Hat tip: b3ta


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Johannes Krupinski (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
